CICD: Add SLSA build attestation to release workflow

.github/workflows/release_draft.yml

@@ -8,6 +8,8 @@ on:
 
 jobs:
   draft_release:
+    outputs:
+      hashes: ${{ steps.collect.outputs.hashes }}
     name: draft release
     runs-on: ubuntu-latest
     permissions:
@@ -61,3 +63,22 @@ jobs:
         args: release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    -
+      name: Collect artifact digests
+      id: collect
+      run: |
+        echo "generating digests for artifacts"
+        echo "hashes=$(find dist -type f \( -name \*dnscontrol\* -o -name \*checksums.txt \) -exec sha256sum {} \; | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  slsa:
+    needs: [draft_release]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: ${{ needs.draft_release.outputs.hashes }}
+      upload-assets: true
+      draft-release: true

README.md

@@ -3,6 +3,7 @@
 [![StackExchange/dnscontrol/build](https://github.com/StackExchange/dnscontrol/actions/workflows/pr_build.yml/badge.svg)](https://github.com/StackExchange/dnscontrol/actions/workflows/pr_build.yml)
 [![Google Group](https://img.shields.io/badge/google%20group-chat-green.svg)](https://groups.google.com/forum/#!forum/dnscontrol-discuss)
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/StackExchange/dnscontrol)](https://pkg.go.dev/github.com/StackExchange/dnscontrol/v4)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
 
 [DNSControl](https://docs.dnscontrol.org/) is a system
 for maintaining DNS zones.  It has two parts:

SECURITY.md

@@ -13,3 +13,20 @@ When a major version is incremented, we'll support the previous major version fo
 To report a vulnerability please [create a new GitHub "issue"](https://github.com/StackExchange/dnscontrol/issues/new/choose).
 
 We will respond in a best-effort manner, usually within 1 week. We will communciate via the GitHub issue unless we need to communicate privately, in which case we'll arrange a way to communicate directly.
+
+## Build Attestation
+
+DNSControl uses GitHub Actions and workflows from the SLSA Framework to produce verifiable builds.
+
+<!-- FIXME: version reference below -->
+
+The [releases page](https://github.com/StackExchange/dnscontrol/releases) includes an attestation document (`multiple.intoto.jsonl`) in the list of files associated with each release since vFIXME. This file contains the signed attestation that can be used to verify the provenance of the files associated with each release.
+
+The [SLSA verifier](https://github.com/slsa-framework/slsa-verifier) tool can be used to confirm the authenticity of DNSControl releases. To manually verify a downloaded build artifact and the `multiple.intoto.jsonl` file, use the `slsa-verifier` utility to confirm the artifact was signed:
+
+```shell
+slsa-verifier verify-artifact dnscontrol_4.19.0_darwin_all.tar.gz \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/StackExchange/dnscontrol \
+  --source-tag v4.20.0
+```